15.4 Code evaluation and security issues

Org provides tools to work with the code snippets, including evaluating them.

Running code on your machine always comes with a security risk. Badly
written or malicious code can be executed on purpose or by accident. Org has
default settings which will only evaluate such code if you give explicit
permission to do so, and as a casual user of these features you should leave
these precautions intact.

For people who regularly work with such code, the confirmation prompts can
become annoying, and you might want to turn them off. This can be done, but
you must be aware of the risks that are involved.

Code evaluation can happen under the following circumstances:

Source code blocks

Source code blocks can be evaluated during export, or when pressing C-c
C-c in the block. The most important thing to realize here is that Org mode
files which contain code snippets are, in a certain sense, like executable
files. So you should accept them and load them into Emacs only from trusted
sources—just like you would do with a program you install on your computer.

Make sure you know what you are doing before customizing the variables
which take off the default security brakes.

— User Option: org-confirm-babel-evaluate

When t (the default), the user is asked before every code block evaluation.
When nil, the user is not asked. When set to a function, it is called with
two arguments (language and body of the code block) and should return t to
ask and nil not to ask.
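As an added illustration of the function form (this is not the manual's own example), the predicate below skips the prompt only for a small allowlist of diagram languages, and only when the Org file lives under a directory the user has marked as trusted; any other block still asks. The variable and function names prefixed with `my-` are chosen for this illustration.

```elisp
;; Added illustration, not the Org manual's own example.  All `my-'
;; names are arbitrary; adjust the directory list to your own setup.
(require 'seq)

(defvar my-trusted-babel-dirs (list (expand-file-name "~/org/notes/"))
  "Directories whose Org files may run the allowlisted languages silently.")

(defvar my-silent-babel-languages '("ditaa" "dot")
  "Languages that only render diagrams and so need no confirmation prompt.")

(defun my-org-confirm-babel-evaluate (lang body)
  "Return nil (do not ask) only for an allowlisted LANG in a trusted file.
BODY is ignored.  Every other case returns t, so Org still asks; a
buffer that is not visiting a file (e.g. an export copy) also asks."
  (let ((file (buffer-file-name)))
    (not (and file
              (member lang my-silent-babel-languages)
              (seq-some (lambda (dir) (file-in-directory-p file dir))
                        my-trusted-babel-dirs)))))

(setq org-confirm-babel-evaluate #'my-org-confirm-babel-evaluate)
```

Because the check is on the visited file's location rather than on the block's contents, a code block pasted into a file outside the trusted directories is still confirmed before it runs.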

For example, here is how to execute "ditaa" code (which is considered safe)
without asking: